CVE-2026-14480

EUVD-2026-43116
OpenPLC Runtime v3 contains an authenticated arbitrary file write 
vulnerability in the legacy web UI program‑upload workflow. The 
application stores an attacker‑supplied filename (prog_file) directly 
into the Programs.File database field and later uses this value as the 
destination path for an uploaded file without validating or restricting 
the path. Because Python os.path.join() honors attacker‑controlled 
absolute paths, an authenticated user can write arbitrary files anywhere
 writable by the OpenPLC webserver process. In the default build 
pipeline, all C++ source files within the OpenPLC runtime core directory
 are automatically compiled into the executable runtime binary. By 
writing a malicious .cpp file into this directory, an authenticated 
attacker can escalate the arbitrary file write into arbitrary native 
code execution when the operator triggers a normal program compilation 
and runtime start.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.9 CRITICAL
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H